Approved by Board of Trustees
Effective Date: June 5, 2017
Responsible Division: President
Responsible Office:  Audit and Consulting Services
Responsible Officer: Chief Audit Executive

I. Purpose

This policy addresses responsibilities of the internal audit function, staffing, audit planning, and reporting on internal audit activities at Middle Tennessee State University (MTSU or University).

II. Definitions

A.  Internal Auditing. An independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

B.  Risk. The possibility of an event occurring that will have an impact on the achievement of University goals and objectives. Risk is measured in terms of the impact an event may have and the likelihood that the event will occur. To optimize the achievement of the University's goals and objectives, the Board of Trustees (Board) and management act to minimize the related risks by implementing reasonable procedures to control and monitor the risks.

C.  Governance Processes. The combination of processes and structures implemented by the Board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. Examples of such processes include the organizational structure within the University or a department; policies, standards, and procedures instituted by the Board or management to direct and control a particular activity and preparation and review procedures for preparing reports such as annual financial statements, federal grant, or financial aid reports.

III. General Statement

A.  The internal audit function at MTSU is the responsibility of the office of Audit and Consulting Services which contributes to the improvement of the University's operations by providing objective and relevant assurance regarding risk management, control, and governance processes to management and the Board.

B.  Management is responsible for evaluating the University's risks and establishing and maintaining adequate controls and processes.

C.  To provide relevant information, Audit and Consulting Services will consider the goals of the University, management's risk assessments, and other input from management in determining its risk-based audit activities.

IV. Internal Audit Standards

Audit and Consulting Services adheres to the Institute of Internal Auditors' (IIA) International Standards for the Professional Practice of Internal Auditing and Code of Ethics. T.C.A. § 4-3-304(9). The Institute of Internal Auditors International Professional Practices Framework (IPPF) incorporates the International Standards for the Professional Practice of Internal Auditing and Code of Ethics into one document.

A.  The IPPF includes attribute standards, which address the expected characteristics of organizations and individuals performing internal audit activities, and pe